
Massive Intel Vulnerabilities Just Landed -- And Every PC User On The Planet May Need To Update


Rumors had been flying around cybersecurity circles at the turn of the year about a vulnerability affecting computers running Intel chips. As Forbes reported earlier today, some feared the issue would leave millions upon millions of computers vulnerable to snooping, while others fretted that the fix would slow PCs down dramatically because of the sweeping changes required to address the problem. And now researchers have revealed it could really be as widespread and severe as feared.

Dubbed Meltdown, the flaw allowed a hacker to read information from applications' memory at the kernel level, a space deep down in the operating system that's core to the functioning of everything on a computer. Passwords, photos, documents and other sensitive data could all be read by an attacker exploiting Meltdown, the researchers warned on a website and in a whitepaper Wednesday. They noted that "virtually every user of a personal computer" in the world was affected either by Meltdown or by a related issue they named Spectre, and that the entire memory contents of a vulnerable PC could be surveilled.

If a computer is run by any Intel processor from 1995 onwards, bar Itanium and Atom chips manufactured before 2013, it's likely vulnerable, the researchers warned. And, crucially, cloud environments are also affected, as the flaw could be abused by an attacker to read memory of a virtual machine without any permissions or privileges.

Software updates are expected to land over the next week to defang the issue and users have been advised to update as soon as possible.

What's the problem?

Typically, a computer should prevent one application from reading information passing through the kernel. With Meltdown, that isolation is broken, so one program can read another's memory in the kernel without permission. As the researchers noted: "The bug basically melts security boundaries which are normally enforced by the hardware."

The attack exploits the way Intel systems handle situations where the CPU cannot yet be certain whether an instruction will run, a technique known as speculative execution. Rather than wait, the processor guesses at the outcome, runs ahead along the guessed path to stay ahead of the task, and discards that work if the guess turns out to be wrong. During that speculative window Intel's processors did not successfully stop low-permission applications from accessing kernel-level memory, meaning an attacker could use a malicious application to get at private data that should have been segregated.

Earlier on Wednesday, Erik Bosman, from the Systems and Network Security Group at the Vrije Universiteit Amsterdam in the Netherlands, tweeted what appeared to be a proof-of-concept hack of the vulnerability, which had been reported on but was unconfirmed at the time.

Daniel Gruss, from the Graz University of Technology, was one of the researchers who uncovered the issue, alongside academic colleagues, Google Project Zero's Jann Horn and employees of German cybersecurity firm Cyberus Technology. He told Forbes that the researchers "only have proof-of-concept code for local attacks." That meant, in the real world, an attack would require the intruder to have found a way onto the computer first. A typical cyberattack, such as a phish that installs malware, would be a likely entry point, though it's unknown if any malicious individual has attempted to carry out the hack.

The researchers said they'd only successfully exploited Meltdown on Intel chips and were unsure if the attacks would work on AMD or ARM systems. A public ARM statement indicated the British company's chips were unaffected.

"Meltdown is so easy to exploit that we're expecting [it] to be the significant problem for the next weeks," said Gruss.

Intel responds

Intel issued a statement in which it said that it wasn't possible to modify a vulnerable system, only to spy on data, adding that media reports on the nature of the issue were inaccurate. In particular, it took umbrage at the claims that the exploits were caused by a "bug" or a "flaw" and were unique to Intel products. "Intel has begun providing software and firmware updates to mitigate these exploits," the company said, noting it was working with AMD, ARM and operating system manufacturers to prevent attacks.

"Intel is committed to the industry best practice of responsible disclosure of potential security issues, which is why Intel and other vendors had planned to disclose this issue next week when more software and firmware updates will be available. However, Intel is making this statement today because of the current inaccurate media reports." It recommended downloading any available updates as soon as they are available.

Microsoft said it was in the process of deploying fixes to its cloud services and was releasing security updates today to protect Windows customers, whilst Apple hadn't responded to Forbes' request for comment. The researchers said both companies were supplying updates for Windows and Mac OS. The academics, who'd developed a fix called KAISER, also noted fixes for Linux computers were ready. And Amazon Web Services posted an advisory for its cloud customers.
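A defender-side check that follows from the patch advice above, added here as an example and not taken from the article or from the researchers' code: Linux kernels that carry the fixes publish one status file per issue under /sys/devices/system/cpu/vulnerabilities/ (for example `meltdown`, `spectre_v1`, `spectre_v2`), each holding a single line such as "Not affected", "Vulnerable" or "Mitigation: PTI" (the page-table isolation derived from KAISER). The script classifies those lines and, so it can run offline, builds a constructed look-alike directory rather than reading the live system.

```python
"""Report Meltdown/Spectre mitigation state from the Linux sysfs interface.

Added example, not from the article. The sample directory is constructed;
point read_mitigations() at SYSFS_VULN_DIR on a real host instead.
"""
import os
import tempfile

SYSFS_VULN_DIR = "/sys/devices/system/cpu/vulnerabilities"
ISSUES = ("meltdown", "spectre_v1", "spectre_v2")


def classify(status_line):
    """Map one sysfs status line to (state, detail)."""
    text = status_line.strip()
    if text == "Not affected":
        return ("not_affected", "")
    if text.startswith("Mitigation:"):
        return ("mitigated", text.split(":", 1)[1].strip())
    if text.startswith("Vulnerable"):
        # "Vulnerable: <partial mitigation>" carries a detail; bare "Vulnerable" does not
        detail = text.split(":", 1)[1].strip() if ":" in text else ""
        return ("vulnerable", detail)
    return ("unknown", text)


def read_mitigations(base_dir=SYSFS_VULN_DIR):
    """Return {issue: (state, detail)} for every status file in base_dir.

    A missing directory means the kernel predates the fixes entirely, so
    every issue is reported as unknown; treat that as unpatched.
    """
    if not os.path.isdir(base_dir):
        return {name: ("unknown", "sysfs interface missing") for name in ISSUES}
    report = {}
    for name in sorted(os.listdir(base_dir)):
        with open(os.path.join(base_dir, name)) as fh:
            report[name] = classify(fh.readline())
    return report


def needs_action(report):
    """Names of issues that are still open (vulnerable or unknown)."""
    return sorted(n for n, (state, _) in report.items()
                  if state in ("vulnerable", "unknown"))


def build_sample_dir():
    """Constructed sysfs look-alike: PTI applied for Meltdown, Spectre v2 still open."""
    d = tempfile.mkdtemp()
    sample = {
        "meltdown": "Mitigation: PTI\n",
        "spectre_v1": "Mitigation: __user pointer sanitization\n",
        "spectre_v2": "Vulnerable\n",
    }
    for name, line in sample.items():
        with open(os.path.join(d, name), "w") as fh:
            fh.write(line)
    return d


if __name__ == "__main__":
    result = read_mitigations(build_sample_dir())
    for issue, (state, detail) in result.items():
        print(f"{issue:12} {state:13} {detail}")
    print("still open:", needs_action(result))
```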

Performance problems?

Intel also denied claims that performance of Intel-based computers would be significantly affected by Meltdown. One report had claimed the degradation could cause a slowdown of between 5% and 30% of typical performance. "Contrary to some reports, any performance impacts are workload-dependent, and, for the average computer user, should not be significant and will be mitigated over time," the company said.

Gruss said he was unsure about the potential impact on performance, telling Forbes it depended on many factors, from the processor architecture to the use case. He did agree with Intel, however, that regular computer users wouldn't be affected much by the slowdown. But, he added, "unusual workloads" on older computers could be up to 50% slower.

A Spectre looms

Meltdown wasn't the only problem uncovered by the researchers, however. They detailed a related issue dubbed Spectre, which they believe is harder to address than Meltdown and for which there aren't yet patches available. As noted in a whitepaper, which contains the full technical details, Spectre attacks induce a victim application to carry out the speculative execution "that would not occur during correct program execution and which leak the victim’s confidential information via a side channel to the adversary." Google's Jann Horn has also released his full analysis of Meltdown and Spectre.

Worryingly, it's not just Intel systems that are affected by Spectre, but computers running AMD and ARM too, the researchers claimed. That would amount to not millions, but billions of machines, they added. For instance, Gruss said Spectre attacks on AMD-based machines worked "super-reliably."

A spokesperson from AMD, however, noted that it had been contacted by Google about the issues, but that "based on the findings to date and the differences in AMD processor architecture, we believe there is near zero risk to AMD products at this time." It noted that the problems would be addressed by software and operating system updates.

ARM, meanwhile, said it was in the process of informing its partners and encouraging them to deploy the mitigations it had developed if their chips are impacted. "At this site - https://developer.arm.com/support/security-update - you can find more technical information, including the ARM cores impacted and details on how to get the software mitigations," a spokesperson said.

Spectre may also work better in exploiting cloud systems, according to Gruss. He noted that Spectre can trick a hypervisor - the software that manages virtual machines in a cloud - into leaking secrets to a guest. And, whilst he said it was not as easy to execute as Meltdown, he believes a hack can run in JavaScript. "This means that you would only have to navigate to an attacker-controlled website," he added.

For a less technical description, Gruss explained: "Think of a Star Wars movie where someone wants to steal money. Spectre is like a Jedi mind trick: you make someone else give you their money, this happens so quick that they don't realize what they're doing.

"Meltdown just grabs the money very quickly like a pickpocket. The Jedi mind trick is of course more difficult to do, but also harder to mitigate."


I cover security and privacy for Forbes. I’ve been breaking news and writing features on these topics for major publications since 2010. As a freelancer, I worked for Th...


Exclusive: Hackers Take Control Of Giant Construction Cranes

Federico Maggi will never forget the first time he saw a crane being hacked.

Last March, he was on a strange kind of road trip. Travelling the Lombardy region of Italy with his colleague Marco Balduzzi in a red Volkswagen Polo, the pair hoped to convince construction site managers, whom they’d never met or spoken with before, to let them have a crack at taking control of cranes with their hacking tools.

Surprise, surprise: They weren’t having much luck. But one such manager, who Maggi fondly remembers as Matteo, was game. Armed with laptops powered by the VW’s battery, scripts for running their hacks and some radio hardware to beam out the exploit code, Maggi and Balduzzi got to work.

Matteo was asked to turn off his transmitter, the only one on-site capable of controlling the crane, and put the vehicle into a “stop” state. The hackers ran their script. Seconds later, a harsh beeping announced the crane was about to move. And then it did, shifting from side to side. Looking up at the mechanism below a wide blue sky, Matteo was at first confused.

“I remember him looking up and asking, ‘Who is doing that?’ Then he realized the test was successful,” Maggi recalls.

Matteo’s crane was just the start. Over the coming days and weeks, the researchers, who ply their trade at Japanese cybersecurity giant Trend Micro, became professional “crane spotters.” Able to detect potentially vulnerable machines on site, they embarked on an unprecedented hacking trip.

They cajoled their way into 14 locations where they were allowed to hack into devices that controlled not only cranes but excavators, scrapers and other large machinery. In every case, their pre-prepared attack code worked.

It soon became obvious: Cranes were hopelessly vulnerable. And, unless the manufacturers behind the tools could be convinced to secure their kit, the potential for catastrophic damage was very real. The consequences ranged “from theft and extortion to sabotage and injury,” the researchers wrote in a paper handed to Forbes exclusively ahead of publication on Tuesday.

The attacks are simple, cheap and open to any person willing to risk launching them, warns Mark Nunnikhoven, VP for cloud security at Trend Micro. “Anyone in range can manipulate these devices.”

Attack of the cranes

In layman’s terms, Maggi and Balduzzi were doing something akin to cloning the transmitter typically used by site managers like Matteo.

But it’s a little more complex than that. The vulnerabilities uncovered by Trend Micro’s research team lay not in the vehicles themselves but in the communications between the controllers and the cranes. The benevolent hackers had to reverse engineer those communications coming from the radio frequency (RF) controller. They then had to find ways of copying commands, which came in their own supposedly unique formats, full of quirks the researchers had to figure out.

They discovered that the data packets containing commands were often transported over the airwaves with little to no security. Where there was basic encoding or encryption of commands, it still didn’t prevent the hackers from replicating commands using a software-defined radio (think of a computer program that acts like a radio running over whatever bandwidth the user sets). “In comparison, consumer-level remote controllers for car or door locks tend to be more secure,” the researchers wrote in their paper.

Initial testing was carried out on a toy crane in the office. In a lighthearted nod to the potential for damage in the real world, a lonesome-looking teddy bear was swiped off his stool by the miniature arm.

Construction sites across the world are at risk of being shut down and extorted by hackers, cybersecurity researchers Federico Maggi and Marco Balduzzi warned. They hacked into real-life cranes across sites in Italy. (Photo: Federico Maggi)

They then moved on to Matteo and real building sites. Maggi could either rely on his ability to spot a vulnerable crane controller and quickly launch attacks, or he could “sniff” the traffic passing over various radio frequencies. In a couple of hours, it was possible to determine what devices were in use and whether they could be manipulated or not.

Five different kinds of attack were tested. They included: a replay attack, command injection, e-stop abuse, malicious re-pairing and malicious reprogramming. The replay attack sees the attackers simply record commands and send them again when they want. Command injection sees the hacker intercept and modify a command. E-stop abuse brings about an emergency stop, while malicious re-pairing sees a cloned controller take over the functions of the legitimate one. And malicious reprogramming places a permanent vulnerability at the heart of the controller so it can always be manipulated.

So straightforward were the first four types of attack that they could be carried out within minutes on a construction site and with minimal cost. The hackers only required PCs, the (free) code and RF equipment costing anywhere between $100 and $500. To deal with some of the idiosyncrasies of the building site tech, they developed their own bespoke hardware and software to streamline the attacks, called RFQuack.

It might seem like Maggi and Balduzzi had it too easy. But they did encounter one problem, that of energy. Such was the power drain on the little red Polo, with the radio hardware and laptops sucking up the battery, it had to be towed at the end of one day of testing. Maggi had to buy a new battery too.

Raise your crane game

On the one hand, attacks by hackers with real malicious motivations could lead to injury or worse. On the other, there’s the risk of theft of expensive vehicles or serious financial damage for construction companies. Imagine cybercriminals had commandeered a fleet of cranes and demanded a ransom to release them. Those lost days, not to mention the payment, could lead to major losses.

The industry is now being urged to build more robust systems. Amongst the seven vendors whose kit was exploited by Trend’s researchers were Saga, Circuit Design, Juuko, Autec, Hetronic, Elca and Telecrane. Not one had responded to requests for comment at the time of publication.

But fixes have been rolling out over the last year. U.S.-government-funded Computer Emergency Response Teams worked with Trend to alert manufacturers and roll out either patches or workarounds.

For some of the vendors, the very idea of patching systems was new. “Some vendors have released firmware with version 0.00A, which means it’s the very first update they’ve released in their lives,” said Maggi.

There remain, however, some flaws left open. Two vulnerabilities affecting Juuko controllers, for instance, have not been addressed. They leave open the possibility of replay and command injection hacks. They’ve been left as so-called “zero-days”—previously unknown and unpatched weaknesses. (Juuko contacted Forbes after publication to state that it had updated its firmware in a way that could prevent attacks. It sent the software to Trend Micro's bug disclosure program, ZDI.)

To truly fix the problem across the industry, it would be wise to move away from the esoteric custom protocols currently in use, says Nunnikhoven. Instead, modern, standardized tech would leave it more open to research and, therefore, fixes, Nunnikhoven added.
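To make Nunnikhoven's point concrete, here is an added example (not the researchers' RFQuack tooling, nor any vendor's protocol) of the property the replay and command-injection attacks described above exploit the absence of: a command frame that carries a monotonically increasing counter and an HMAC tag under an assumed pre-shared pairing key, so the receiver rejects both a recorded frame sent again and a captured frame whose command byte was altered. The frame layout and the key are constructed for the example.

```python
"""Authenticated, replay-resistant command frames for a radio remote controller.

Added example, not from the Trend Micro paper or any vendor's firmware.
Frame layout (constructed): 4-byte big-endian counter | 1-byte command | 16-byte tag,
where tag = HMAC-SHA256(key, counter || command) truncated to 16 bytes.
The pairing key is assumed to be provisioned out of band when TX and RX are paired.
"""
import hmac
import hashlib
import struct

CMD_STOP, CMD_LEFT, CMD_RIGHT, CMD_UP, CMD_DOWN = 0x00, 0x01, 0x02, 0x03, 0x04
TAG_LEN = 16
FRAME_LEN = 4 + 1 + TAG_LEN


def _tag(key, counter, cmd):
    # The counter is inside the MAC, so an attacker can neither alter the command
    # (injection) nor move a valid tag onto a fresh counter (replay with a new number).
    body = struct.pack(">IB", counter, cmd)
    return hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]


class Transmitter:
    """Site manager's handset: every frame gets a never-reused counter value."""

    def __init__(self, key):
        self.key = key
        self.counter = 0  # a real handset must keep this in non-volatile storage

    def send(self, cmd):
        self.counter += 1
        return struct.pack(">IB", self.counter, cmd) + _tag(self.key, self.counter, cmd)


class Receiver:
    """Crane-side receiver: accepts only authentic frames newer than the last one seen."""

    def __init__(self, key):
        self.key = key
        self.last = 0  # highest counter accepted so far; also belongs in non-volatile storage

    def accept(self, frame):
        """Return (ok, reason, cmd). Only a valid frame advances the counter."""
        if len(frame) != FRAME_LEN:
            return (False, "bad length", None)
        counter, cmd = struct.unpack(">IB", frame[:5])
        # Check the tag before the counter so forged frames cannot disturb the state.
        if not hmac.compare_digest(frame[5:], _tag(self.key, counter, cmd)):
            return (False, "bad tag", None)
        # Strictly increasing: lost frames are tolerated, recorded or delayed ones are not.
        if counter <= self.last:
            return (False, "stale or replayed", None)
        self.last = counter
        return (True, "ok", cmd)


def demo():
    """Run the genuine, replay, injection and late-delivery cases; return the verdicts."""
    key = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed pairing key
    tx, rx = Transmitter(key), Receiver(key)
    results = {}
    f1 = tx.send(CMD_LEFT)
    results["genuine"] = rx.accept(f1)
    results["replay"] = rx.accept(f1)  # the same recorded frame sent again
    injected = f1[:4] + bytes([CMD_RIGHT]) + f1[5:]  # command byte altered, tag kept
    results["injected"] = rx.accept(injected)
    f2 = tx.send(CMD_STOP)
    f3 = tx.send(CMD_UP)
    results["lost_then_later"] = rx.accept(f3)  # f2 lost over the air: f3 still accepted
    results["late_arrival"] = rx.accept(f2)     # f2 turns up afterwards: too old
    return results


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:16} -> {verdict}")
```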

For now, the next time you see a crane swinging around your city or town, you’ll have to wonder: Who’s in control?




GitHub's Brand Campaign Highlights Black Female Founders In An Optimistic Look At Technology

Tiffani Ashley Bell, Founder, The Human Utility, and Jamica “Afrodjiak” El, Creative Technologist. (Photo: Slow Clap Productions for GitHub)

For many of us, technology has become a dirty word. When it doesn't set off mass panic around privacy or inadvertently support Russian espionage, it highlights a disconnect between tech’s culture of solving first-world problems (like on-demand, smart everything) and the problems real Americans face. But solutions to real-world problems -- like access to clean, running water or safely resisting police brutality -- are still being surfaced and solved through GitHub’s open source community of 25 million developers globally. That’s why GitHub brand marketer Leah Clark is bringing some of those stories to light with the Build The Future campaign.

“The software development industry is full of brilliant people. Imagine what the future will look like if the focus is on building based on passion and solving real problems, not simply the bottom line. Open source technology is where the future is actively being built and through the connections and collaboration it enables, more and more people are able to participate. It's no longer about waiting for some larger entity to determine the path forward or waiting until you have all the answers—we want everyone to have access to the tools and education needed to drive change.”

The campaign tells the stories of four creators who used GitHub’s platform and open source community to build something remarkable. And through these stories, we see a more optimistic side of technology: the valiance of open source communities that freely invest their time in making the world a better place. In a time when the world seems divided, Build The Future reminds us that people are coming together to change the world one line of code at a time.

While all of the stories are powerfully captured, it is the stories of Tiffani Ashley Bell and Jamica "Afrodjiak" El -- two black women who are using open source technology to support their communities -- that profoundly inspire. In a time when women, especially women of color, are marginalized, these two women show us how they use technology to make meaningful change.

After reading a story about water being shut off for 100,000 people in Detroit, Tiffani Ashley Bell started The Human Utility Project. She and her co-founder built a site on GitHub to connect donors to aging and impoverished people who were facing huge water bills they couldn’t afford. Her video tells us to, “start really small with whatever you can. If you make an impact the whole thing will blow up from there.” And watching the faces of the people she has impacted, it’s clear how true this is. Since she launched the program, she has received philanthropic funding from Y Combinator and expanded her advocacy efforts to Baltimore.

Jamica “Afrodjiak” El is a DJ and Apple Genius turned hardware engineer whose love of turntables led her to soldering. As a creative technologist living in Oakland, where police brutality against black communities has been widely documented, Jamica was deeply struck by Sandra Bland’s death and wanted to create a way for people to safely capture and share their own stories. Jamica noticed that cameras and phones often escalate reactions during protests or demonstrations, so she got to work creating small, wearable cameras that can be sewn into clothing. “When we see social issues in the world, we all mobilize in different ways,” Jamica shares in her video. “For me, it was creating a tool for storytelling and hope that people use it in a way that impacts the community.”

This grassroots, start-where-you-are message is core to GitHub’s brand as an open source community. It harks back to a time in Internet culture when people threw themselves into problem-solving for the sheer joy of making an impact. And it reminds us that this is still very much accessible. “You don’t have to sit down and say, ‘Today I will solve the cure for cancer,’” Clark shares. “You can start with something really small, connect it to something bigger and see the amazing things that come from that. Things you would never imagine with your first idea.”

Reflecting on this work, GitHub reminds us that great things can come from simple ideas and humble beginnings. We don’t have to change the world all by ourselves. The power of the platform, of open source -- and of the Internet -- comes from the community as a whole. There’s something truly hopeful about realizing that people are in fact working to make the world better. And that we’re all in this together.

Leah Clark, GitHub Brand Marketing. (Photo: Courtesy of GitHub)

Emily Joffrion works with companies who believe in building their brand by developing women to share their own stories. She covers the pivotal, often invisible, work women do in technology.

I am a brand and communications consultant who has spent the last decade working with startups in San Francisco, New York, Portland, and New Orleans, most notably Airbnb...


Amazon To Become #1 In Cloud-Computing Revenue By Beating IBM's $17 Billion

As it closes in on $20 billion in annual revenue, Amazon's cloud-computing unit, Amazon Web Services, has begun boosting its brand via TV ads with the theme "Build On."


(Note: After an award-winning career in the media business covering the tech industry, Bob Evans was VP of Strategic Communications at SAP in 2011, and Chief Communications Officer at Oracle from 2012 to 2016. He now runs his own firm, Evans Strategic Communications LLC.)

CLOUD WARS -- Exactly six months ago, the tech industry was stunned to learn that IBM was beating Amazon in cloud revenue for the trailing 12 months, $15.1 billion to $14.5 billion.

And just last week, IBM posted robust cloud-revenue growth for calendar 2017 of $17 billion, up 24%, with even stronger cloud growth in the fourth quarter with $5.5 billion in cloud revenue, up 30%.

Those numbers fly in the face of the predominant narrative among many in the media and a surprisingly high number of analysts who perpetuate the facile but false story that Amazon is the runaway king of cloud computing with revenue and market share far greater than anyone else in the field.

But as hugely successful as Amazon's Web Services unit has been—and its track record is undeniably impressive, particularly as AWS provides the overwhelming majority of the profits for the parent company—it has by no means been the runaway winner in the Cloud Wars.

As noted above, IBM has exceeded or matched Amazon in cloud-computing revenue throughout the year, and Microsoft is very likely right in line with or slightly ahead of the cloud numbers from IBM and Amazon.

With regard to Microsoft, it's hard to be precise because, unlike IBM and Amazon, Microsoft does not offer a trailing 3-month or 12-month revenue figure for its commercial cloud business, but instead provides only a forward-looking annualized run-rate for the coming 12 months based on the final month of the quarter it's reporting.

For Microsoft's Q3 ended Sept. 30, that forward-looking cloud ARR figure was $20.4 billion. Microsoft compiled that number by taking the commercial-cloud revenue it posted for the month of September and multiplying that monthly figure by 12 to project a forward-looking annualized run rate.

Based on that 12-month projection of $20.4 billion, Microsoft's commercial-cloud revenue for the month of September was $1.7 billion. Microsoft will report its earnings for its fiscal Q2 on Wed., Jan. 31.

So why do I believe Amazon will overtake IBM in cloud revenue for calendar 2017 when Amazon releases Q4 and full-year financials on Thurs., Feb. 1? Here's how the numbers break out:

  • IBM reported cloud revenue for 2017 of $17 billion, up 24%.
  • For its first three quarters of 2017, Amazon has posted cloud revenue of $12.34 billion: in Q1, $3.661 billion; Q2, $4.100 billion; and Q3, $4.584 billion.
  • To match IBM's full-year cloud revenue of $17 billion, Amazon will need to generate $4.655 billion for Q4. A year ago, in Q4 2016, the AWS unit posted revenue of $3.536 billion, which means AWS cloud revenue for 2017's Q4 must grow by $1.02 billion (about 28.9%) to reach that IBM-tying mark of $4.655 billion.

Is it likely Amazon's cloud unit will achieve 29% growth in Q4? I believe it's not only likely but almost certain because while the AWS rate of growth slowed for 8 straight quarters, its stellar growth performance in Q3—up 42%—broke that string and demonstrated that Amazon's cloud business might still have a couple of quarters of hypergrowth ahead of it before the much-tougher compare numbers kick in.

Plus, the overall economy did quite well in Q4, and in such an environment it's very likely that tens of thousands of businesses tapped in to the Amazon cloud to support new growth and opportunities.

There's no shame for IBM in handing over the #1 spot in cloud-computing revenue to Amazon—or, for that matter, to Microsoft. Both of those Seattle companies have become synonymous with the cloud, and deservedly so.

But this horserace also shows that it's high time that IBM receives the recognition it has earned as not just a player in the cloud, but as one of the world's top three cloud-computing leaders.

IBM's achievements during its top-to-bottom transformation have been nothing short of extraordinary, and its accelerating growth trajectory in the cloud points to even more business value and innovation for the biggest winners in the Cloud Wars: the business customers who are benefitting from the intense competition among the cloud vendors.

As businesses jump to the cloud to accelerate innovation and engage more intimately with customers, my Cloud Wars series analyzes the major cloud vendors from the perspective of business customers.

I've analyzed and written about the enterprise-tech business for more than 20 years from the media side as an editor-in-chief and chief content officer, and more recentl...


Equifax Does More Than Credit Scores

By Jeff Pollard and Joseph Blankenship

Forrester’s first-ever Privacy & Security Forum will be held next week in Washington D.C. To learn more about the Forum and to register, visit Forrester’s Privacy & Security 2017 Forum page.

Equifax announced a cybersecurity incident potentially impacting 143 million U.S. consumers. Our reaction to the breach was like what we imagine many people went through: Were we affected? What about our spouses and other immediate family members? Better keep an eye on the old credit report or initiate a credit freeze. Since Forrester offers credit monitoring as an employee benefit, and both authors enrolled, one of those is covered. And that all makes sense – Equifax is known to most consumers as a credit reporting agency.

But that isn’t all that Equifax does. Let’s look at the available products from Equifax targeted at consumers: credit monitoring, identity protection assistance, and credit score/credit report products. There are three major product lines that are, not surprisingly, focused on credit monitoring and identity theft. And then there is Equifax for business use: welcome to an entirely different kind of company. Equifax lists 57 different offerings for businesses, starting with the letter A and ending with the letter V. Everything from Auto Insights for Car Dealers to Visualization tools is in there.

So why does Equifax for Business matter? Equifax collects information about you. You may not know it does, but it does. Even if you aren’t in the population of breached users, they know you. You don’t know what they know about you, and you have no way to find out in normal circumstances. This breach might actually – in a strange twist – provide you insight into what Equifax knows about you, and what it does with that information. Here’s why:

  • Equifax is a large-scale data aggregator, data broker, and analytics firm. They collect, analyze, and derive insights from data – its own data, and data it collects and purchases from other data aggregators.
  • Right now we don’t know exactly what information was breached. Information that Equifax aggregated together could also be included.
  • We need more transparency before we understand the full extent of the breach. That will tell us how far beyond basic personal data it might go.

Don’t Assume Cybercrime

An automatic assumption is that Equifax was breached by cybercriminals, looking to gain access to information to steal identities and commit credit card fraud. That’s an excellent initial thought process given what we’ve experienced in the past – but here are a couple of “what if” scenarios:

  • The whale: The information is used to impersonate executives of firms to have employees wire large sums of money to fraudulent accounts internationally. Having so many details about a person makes impersonating them easier. Suddenly, personal credit fraud can go upscale to financial fraud. These attacks have already happened multiple times over the last few years.
  • The spy: The information allows someone to steal an identity. Identity is used when someone registers to vote. There is confirmed evidence of foreign entities attempting to influence the US election in 2016. Using this information – along with other hacks at different spots in our election process – a nation state could attempt to disrupt the 2018 or 2020 election. For a similar, if different, situation that illustrates how this could occur, consider the OPM breach, which led to decreased intelligence collection capabilities for US intelligence agencies after the breach.

Playing a game of “what if” has value – it makes sure we don’t treat our assumptions as certainties. So what should security and risk professionals do? There are two areas to evaluate – what might happen personally, and what might happen professionally.

To protect yourself:

  • Assume you are compromised. The breadth and depth of this breach, along with all the other breaches that have occurred, makes it safe to assume that your personal information is in the hands of people who will use it for nefarious purposes. Act accordingly.
  • Use credit monitoring – but not what Equifax offered. Go to a competitor of theirs, sign up through your employer if it’s open enrollment for benefits, through your credit card company, or even an alumni offering.
  • Think about establishing a credit freeze. But make sure to do it through all 3 credit bureaus, and remember that freezing might have costs depending on your state.
  • If your passwords or security questions use ANY personal information (addresses, schools, old car makes and models, etc.), change them right away. It’s possible that someone who wants to pretend to be you to steal things knows quite a lot about you now.
  • We need to demand control over our information. The 21st century needs a Data Bill of Rights. GDPR is a decent start, but it doesn’t go far enough. Individuals need transparency about data collection and use. More importantly we need the right to say no to companies that want to collect our data if we don’t like the extent of the collection or how it might be used. We should also have the right to say that certain companies can never have our data again, there should be repercussions for violating our trust – and their responsibility to protect our information.

To protect your firm:

Until we know more, we have to think that it’s going to be remarkably easy to impersonate…well, anyone. The initial numbers stated that 44% of the US is affected. But 22.8% of the US is under 18 per the Census Bureau. Therefore 56% of all US adults might be affected by this.

  • Lock down your financial transfer processes. Make sure to include separation of duties and multi-factor authentication and authorization before paying anything.
  • Remain vigilant against phishing emails. Increase end user training to help users spot them, and explain the significance of social media risks to employees as well.
  • Deploy managed detection & response services. Work with providers that perform proactive threat hunting to identify threats as early as possible.
  • Invest in security analytics. Analytics will help identify anomalous behavior before signatures will.
  • Web application security is cool again. Our surveys indicate that 34% of data breaches were the result of web application attacks. Bake web application testing into your SDLC.
  • Review your incident response plan, including your public notification plan. What’s worse than a data breach? Responding to a data breach poorly. Practice via simulations.

Forrester’s first-ever Privacy & Security Forum will be held next week in Washington D.C. To learn more about the Forum and to register, visit Forrester’s Privacy & Security 2017 Forum page.

Forrester (Nasdaq: FORR) is one of the most influential research and advisory firms in the world. We work with business and technology leaders to develop customer-obsess...

#####EOF##### GitHub on the Forbes Cloud 100 List

#28 GitHub

Industry: Business Services & Supplies
Founded: 2008
Country: United States
CEO: Chris Wanstrath
Employees: 650
Headquarters: San Francisco, California
As of Jul 11, 2017

With a community of over 22 million developers collaborating on more than 60 million projects, GitHub likes to think of itself as the Facebook for developers. GitHub remains the most famous repository for sharing code, from individual enthusiasts all the way up to General Electric. Even NASA made the source code that took Apollo 11 to the moon available on GitHub in late 2015.

On Forbes lists: #28 Cloud 100 2017 (dropped off in 2018)
    #####EOF##### Blockchain: Back To The Drawing Board?

    Over recent years, blockchain has been hyped as one of the most important developments for carrying out failsafe transactions of just about any kind. Based on the concept of a distributed ledger of transactions where every modification is logged and timestamped using a cryptographic proof of work, the original paper by Satoshi Nakamoto (whoever he, she or they is/are) was elevated to the status of a latter-day incunabulum, seen by many as the perfect solution, mathematically and computationally elegant.

    Overnight, blockchain became the new mantra, beyond question, the universal solution. But… what if it wasn’t? What if, as on so many other occasions, a promising technology follows the familiar pattern of the hype cycle and, after scaling the peak of inflated expectations, it turns out that it falls into the trough of disillusionment? In other words, it fails the mass adoption test. Can we question blockchain without fear of looking ignorant or a technophobe?

    Vint Cerf’s July 2018 tweet with its simple flow diagram showing that nobody needs blockchain should prompt some serious reflection, and not just about the fallacy of argument from authority. Vint was merely raising concerns that he had been analyzing for quite some time.

    On February 6, another legendary figure, in this case in the field of cybersecurity, Bruce Schneier, published an article in Wired entitled “There is no good reason to trust blockchain technology”, which went into much more detail than Vint, with a much clearer separation between the technological foundation as such, blockchain, and some of its specific implementations such as bitcoin. According to Schneier, the idea of trust in a blockchain was not as crystal clear as some argued, while the consensus algorithm was definitely the most expensive and inefficient ever seen.

    Indeed, the uses of public blockchains so far have led to energy aberrations like the one underlying the speculative explosions in popularity of cryptocurrencies, where practically the only hopeful scenario relates to Vitalik Buterin and the possibility — or better, the need — to reduce the energy consumption of Ethereum’s transactional mechanisms by no less than 99%. But beyond energy consumption, which in itself would already be a major brake on mass adoption, it turns out that Schneier is also right about the trust mechanism. Statements along the lines of “in crypto we trust”, “in math we trust” or “in code we trust” all sound very nice, but behind them lies an obvious reality: blockchains, like everything else in the world, have vulnerabilities that can be exploited.

    The result of this progressive questioning is evident: in the analysts’ lists of the technological trends of 2019, blockchain is conspicuous by its absence. That said, analysts are not infallible and technology is not a hit parade. At the same time, this is the first time blockchain has been seriously questioned in its short life. We are now moving from questions based on “I do not understand”, to “I understand it and I’m not interested”, either because it’s expensive, it’s highly inefficient or because the trust aspect isn’t secure.

    Do such problems require an amendment to the whole? Perhaps not: many aspects, such as the distribution of the ledger, the cryptographic proof of work or the concept of consensus itself, could be developed for future use. But in its current state, everything indicates that blockchain technology is probably not ready for mass adoption and that pushing ahead with that goal could have unintended, if not irresponsible, consequences. In short, a brilliant paper with an unclear origin is not necessarily enough to set in motion a process that changes the world as we know it.

    From being one of the technologies considered key for the future and the apparently natural and definitive solution for all transactional systems, blockchain is entering a new phase, the trough of disillusionment, and from which it may never emerge. Some companies that were considering launching developments based on this technology are rethinking them, while the disproportionate initial interest is cooling, and growing numbers of people are now aware that blockchain technology probably needs to be taken back to the drawing board.

    Enrique Dans, Ph.D.

    Teaching Innovation at IE Business School since 1990, and now, hacking education as Senior Advisor for Digital Transformation at IE University. BSc (Universidade de Sant...

    #####EOF##### How Blockchain Will Transform The Supply Chain And Logistics Industry

    Managing today’s supply chains—all the links to creating and distributing goods—is extraordinarily complex. Depending on the product, the supply chain can span over hundreds of stages, multiple geographical (international) locations, a multitude of invoices and payments, have several individuals and entities involved, and extend over months of time. Due to the complexity and lack of transparency of our current supply chains, there is interest in how blockchains might transform the supply chain and logistics industry.

    Let’s look at what is broken, how the unique attributes of blockchain could help and look at a few examples of blockchain already impacting supply chains.

    How is the supply chain broken?

    Our current supply chain is broken in several ways. Over a hundred years ago, supply chains were relatively simple because commerce was local, but they have grown incredibly complex. Throughout the history of supply chains there have been innovations such as the shift to haul freight via trucks rather than rail or the emergence of personal computers in the 1980s that led to dramatic shifts in supply chain management. Since manufacturing has been globalized, and a large portion of it is done in China, our supply chains are heavy with their own complexity.

    It’s incredibly difficult for customers or buyers to truly know the value of products because there is a significant lack of transparency in our current system. In a similar way, it’s extremely difficult to investigate supply chains when there is suspicion of illegal or unethical practices. They can also be highly inefficient as vendors and suppliers try to connect the dots on who needs what, when and how.

    What is blockchain and how could it help supply chains?

    While the most prominent use of blockchain is in the cryptocurrency, Bitcoin, the reality is that blockchain—essentially a distributed, digital ledger—has many applications and can be used for any exchange, agreements/contracts, tracking and, of course, payment. Since every transaction is recorded on a block and across multiple copies of the ledger that are distributed over many nodes (computers), it is highly transparent. It’s also highly secure since every block links to the one before it and after it. There is not one central authority over the blockchain, and it’s extremely efficient and scalable. Ultimately, blockchain can increase the efficiency and transparency of supply chains and positively impact everything from warehousing to delivery to payment. Chain of command is essential for many things, and blockchain has the chain of command built in.

    The very things that are necessary for reliability and integrity in a supply chain are provided by blockchain. Blockchain provides consensus—there is no dispute in the chain regarding transactions because all entities on the chain have the same version of the ledger. Everyone on the blockchain can see the chain of ownership for an asset on the blockchain. Records on the blockchain cannot be erased which is important for a transparent supply chain.

    Examples of blockchain being used in supply chains today

    Since blockchains allow for transfer of funds anywhere in the world without the use of a traditional bank, it’s very convenient for a supply chain that is globalized. That’s exactly how Australian vehicle manufacturer Tomcar pays its suppliers—through Bitcoin.

    In the food industry, it’s imperative to have solid records to trace each product to its source. So, Walmart uses blockchain to keep track of the pork it sources from China: the blockchain records where each piece of meat came from, how it was processed and stored, and its sell-by date. Unilever, Nestle, Tyson and Dole also use blockchain for similar purposes.

    BHP Billiton, the world’s largest mining firm, announced it will use blockchain to better track and record data throughout the mining process with its vendors. Not only will it increase efficiency internally, but it allows the company to have more effective communication with its partners.

    The transparency of blockchain is also crucial to allow consumers to know they are supporting companies who they share the same values of environmental stewardship and sustainable manufacturing. This is what the project Provenance hopes to provide with its blockchain record of transparency.

    Diamond giant De Beers uses blockchain technology to track stones from the point they are mined right up to the point when they are sold to consumers. This ensures the company avoids ‘conflict’ or ‘blood diamonds’ and assures consumers that they are buying the genuine article.

    There are several supply chain startups such as Cloud Logistics who saw an opportunity to provide blockchain-enabled supply chain solutions to improve efficiencies and reduce costs for the massive supply chain industry. More will most certainly join them as they realize the potential and demand for blockchain-enabled solutions to transform the supply chain and logistics industry.

    Bernard Marr is an internationally best-selling author, popular keynote speaker, futurist, and a strategic business & technology advisor to governments and companies...

    #####EOF##### Mysterious $15,000 'GrayKey' Promises To Unlock iPhone X For The Feds

    Apple's iPhone X may have a weakness being exploited by two separate government contractors. (Photo by Chesnot/Getty Images)

    Just a week after Forbes reported on the claim of Israeli U.S. government manufacturer Cellebrite that it could unlock the latest Apple iPhone models, another service has emerged promising much the same. Except this time it comes from an unknown entity, an obscure American startup named Grayshift, which appears to be run by long-time U.S. intelligence agency contractors and an ex-Apple security engineer.

    In recent weeks, its marketing materials have been disseminated around private online police and forensics groups, offering a $15,000 iPhone unlock tool named GrayKey, which permits 300 uses. That's for the online mode that requires constant connectivity at the customer end, whilst an offline version costs $30,000. The latter comes with unlimited uses.

    Another ad showed Grayshift claiming to be able to unlock iPhones running iOS 10 and 11, with iOS 9 support coming soon. It also claims to work on the latest Apple hardware, up to the iPhone 8 and X models released just last year. In a post from one private Google group, handed to Forbes by a source who asked to remain anonymous, the writer indicated they'd been demoed the technology and that it had opened an iPhone X.

    An offer of iPhone and iPad exploits is circulating forensics communities from an enigmatic entity called Grayshift. (Forbes)

    The marketing doesn't reveal just what iOS vulnerabilities GrayKey exploits to unlock iPhones. It claims GrayKey works on disabled iPhones and can extract the full file system from the Apple device, and indicates the tool would make repeated guesses at passcodes, a technique known as brute forcing, to first get into the device.

    According to Ryan Duff, director of cyber solutions at Point3 Security, it appeared Grayshift had access to similar exploits as Cellebrite, namely a probable hack that targets Apple's Secure Enclave, the isolated chip in iPhones that handles encryption keys. The Secure Enclave makes it especially time-consuming to carry out brute forcing by incrementally increasing the time between guesses, up to an hour for the ninth attempt onwards. But if it can be broken, the speed to guessing the right password can be improved.

    "Without breaking the encryption, you will always be forced into a brute force situation," explained Duff. "That doesn't mean they are using the exact same exploit that Cellebrite is using. It's possible they are different. But the process post-exploitation is almost certainly the same."

    Apple declined to comment on Grayshift's claims. But it typically recommends users take advantage of iOS updates as they will contain fixes for the latest vulnerabilities.

    Those patches may not be too far off, said Duff. That's because of Grayshift's apparent business model, which differs from Cellebrite's in that the latter is asking law enforcement to send devices in to its labs. As Grayshift is putting its exploits in software, it could be possible for security researchers or Apple engineers to get hold of the GrayKey and determine what vulnerabilities it uses. "This will almost certainly lead to the exploit being burned," added Duff, a former cyber operations tactician at the U.S. Cyber Command. "Someone, maybe even Apple, will eventually get a hold of one of these devices and will examine how it works. If it's a non-Apple researcher, they will be able to report the bug to Apple and make $100,000 to $200,000 from their bug bounty program depending on how the exploit works."

    Forbes made multiple attempts to contact Grayshift, but had received no response at the time of publication. Its website, which contains little more than a logo and the tagline "the state of the art has a new requirement," asks for a login to learn more.

    In the wake of San Bernardino

    Forbes has not been able to verify the company's claims and given it's a new, unproven entity, it's hard to say how far the marketing material should be trusted. But, whilst there's very little information about Grayshift online, Forbes has unearthed some tantalizing tidbits, pointing to a legitimate company with plenty of experience in its field.

    According to LinkedIn profiles, the company was co-founded in Atlanta, Georgia, back in September 2016 by David Miles, who previously worked at Endgame, a company that reportedly developed hacking tools for U.S. government agencies, including the NSA. The company's founding came in the wake of the battle between Apple and the FBI in San Bernardino, where the feds ordered the Cupertino giant to unlock the iPhone of terrorist shooter Syed Rizwan Farook, a request the iDevice manufacturer vehemently protested. The FBI eventually paid an unknown contractor in the region of $1 million to hack into the device.

    One source told Forbes Grayshift also counted amongst its ranks former staff of cybersecurity firm Optiv, where Miles worked prior to co-founding Grayshift. Two cybersecurity industry sources with knowledge of the company claimed Optiv had previously developed so-called zero-day exploits for the U.S. government, where programs hack into systems via previously unknown software vulnerabilities for the sake of finding out information from target devices, a business practice that had been alluded to in a 2013 Rolling Stone report, back when the company was called Accuvant.

    And, the sources added, Optiv had a specialty in iOS hacks. (Optiv hadn't responded to requests for comment at the time of publication). Indeed, two former employees from Optiv are listed on LinkedIn as working at secret companies in Atlanta from September 2016, the same month Miles is listed as founding Grayshift. They include Justin Fisher, also previously of Endgame, and Braden Thomas, who'd previously worked at Apple for six years as a security engineer. Forbes also unearthed company records, showing both as "principals" at the firm, along with Miles. Principals are typically co-founders or executives, though Fisher's LinkedIn shows him as a senior researcher and Thomas as a security engineer. Neither Fisher nor Thomas had responded to messages at the time of publication.

    'Breaking the unbreakable'

    The company is due to show for a conference in Myrtle Beach, South Carolina, this June. A description on the Techno Security & Digital Forensics conference website indicated the company is a direct Cellebrite competitor, reading: "Grayshift is a cyber security firm built by experts in security research and access technology. Our focus is on building advanced capabilities to support local, state and federal government agencies for the purposes of accessing mobile platforms to enable digital forensic analysis."

    A price list for the obscure GrayKey tool is being passed around forensics pros. Can it do what it promises? (Forbes)

    Another blurb on 99Designs, where the company had its logo drawn up, was a little more revealing, indicating the company was providing services to private industry too. "We specialize in software vulnerability research.

    "Our research consultants employ an in-depth knowledge of the latest exploitation techniques and methodologies in order to triage, analyze and prioritize discovered vulnerabilities for remediation. Our typical customer base are large Fortune 500 organizations and also high tech companies requiring advanced security research consulting.

    "We know how to break things that are thought to be unbreakable."

    Multiple sources in the forensics industry confirmed they'd heard about Grayshift and were intrigued by its offerings. Italian forensics specialist Mattia Epifani noted that the GrayKey was cheaper than Cellebrite's offering, which costs around $1,500 per device, compared to Grayshift's 300 for $15,000. Vladimir Katalov, chief of Elcomsoft, a Russian competitor that does plenty of business in the U.S., said that if it really has found a way to force iPhones into a mode where passcode attempts are unlimited, "then hats off."

    "The only thing that worries me... it is not really good for the community that the vulnerability is 'private.' That creates the same problem as with 'backdoors for law enforcement,' [is] probably even worse. We can only guess how (and since when) they are being exploited by criminals," said Katalov. "The trend when critical vulnerabilities are being kept private and used by vendors providing the services to law enforcement is really a very bad idea." As the EFF said of the Cellebrite iPhone revelations, when vulnerabilities are kept secret, everyone is walking around with weaknesses in their devices that could be exploited by anyone, whether governments or criminals.

    Cellebrite doesn't agree with that line of thinking. In a recent interview with Forbes, chief marketing officer Jeremy Nazarian said it was necessary for the flaws to stay secret so the tools remained effective and law enforcement could gather evidence from devices.

    Got a tip? Get me on Signal on +447837496820 or use SecureDrop to tip anyone at Forbes. Email at TBrewster@forbes.com or tbthomasbrewster@gmail.com for PGP mail.

    I cover security and privacy for Forbes. I’ve been breaking news and writing features on these topics for major publications since 2010. As a freelancer, I worked for Th...

    #####EOF##### Exclusive: Hackers Take Control Of Giant Construction Cranes

    Federico Maggi will never forget the first time he saw a crane being hacked.

    Last March, he was on a strange kind of road trip. Travelling the Lombardy region of Italy with his colleague Marco Balduzzi in a red Volkswagen Polo, the pair hoped to convince construction site managers, who they’d never met or spoken with before, to let them have a crack at taking control of cranes with their hacking tools.

    Surprise, surprise: They weren’t having much luck. But one such manager, who Maggi fondly remembers as Matteo, was game. Armed with laptops powered by the VW’s battery, scripts for running their hacks and some radio hardware to beam out the exploit code, Maggi and Balduzzi got to work.

    Matteo was asked to turn off his transmitter, the only one on-site capable of controlling the crane, and put the vehicle into a “stop” state. The hackers ran their script. Seconds later, a harsh beeping announced the crane was about to move. And then it did, shifting from side to side. Looking up at the mechanism below a wide blue sky, Matteo was at first confused.

    “I remember him looking up and asking, ‘Who is doing that?’ Then he realized the test was successful,” Maggi recalls.

    Matteo’s crane was just the start. Over the coming days and weeks, the researchers, who ply their trade at Japanese cybersecurity giant Trend Micro, became professional “crane spotters.” Able to detect potentially vulnerable machines on site, they embarked on an unprecedented hacking trip.

    They cajoled their way into 14 locations where they were allowed to hack into devices that controlled not only cranes but excavators, scrapers and other large machinery. In every case, their pre-prepared attack code worked.

    It soon became obvious: Cranes were hopelessly vulnerable. And, unless the manufacturers behind the tools could be convinced to secure their kit, the potential for catastrophic damage was very real. The consequences ranged “from theft and extortion to sabotage and injury,” the researchers wrote in a paper handed to Forbes exclusively ahead of publication on Tuesday.

    The attacks are simple, cheap and open to any person willing to risk launching them, warns Mark Nunnikhoven, VP for cloud security at Trend Micro. “Anyone in range can manipulate these devices.”

    Attack of the cranes

    In layman’s terms, Maggi and Balduzzi were doing something akin to cloning the transmitter typically used by site managers like Matteo.

    But it’s a little more complex than that. The vulnerabilities uncovered by Trend Micro’s research team lay not in the vehicles themselves but in the communications between the controllers and the cranes. The benevolent hackers had to reverse engineer those communications coming from the radio frequency (RF) controller. They then had to find ways of copying commands, which came in their own supposedly unique formats, full of quirks the researchers had to figure out.

    They discovered that the data packets containing commands were often transported over the airwaves with little to no security. Where there was basic encoding or encryption of commands, it still didn’t prevent the hackers from replicating commands using a software-defined radio (think of a computer program that acts like a radio running over whatever bandwidth the user sets). “In comparison, consumer-level remote controllers for car or door locks tend to be more secure,” the researchers wrote in their paper.

    Initial testing was carried out on a toy crane in the office. In a lighthearted joke at the potential for damage in the real world, a lonesome-looking teddy bear was swiped off of his stool by the miniature arm.

    Construction sites across the world are at risk of being shut down and extorted by hackers, cybersecurity researchers Federico Maggi and Marco Balduzzi warned. They hacked into real life cranes across sites in Italy. (Federico Maggi)

    They then moved on to Matteo and real building sites. Maggi could either rely on his ability to spot a vulnerable crane controller and quickly launch attacks, or he could “sniff” the traffic passing over various radio frequencies. In a couple of hours, it was possible to determine what devices were in use and whether they could be manipulated or not.

    Five different kinds of attack were tested. They included: a replay attack, command injection, e-stop abuse, malicious re-pairing and malicious reprogramming. The replay attack sees the attackers simply record commands and send them again when they want. Command injection sees the hacker intercept and modify a command. E-stop abuse brings about an emergency stop, while malicious re-pairing sees a cloned controller take over the functions of the legitimate one. And malicious reprogramming places a permanent vulnerability at the heart of the controller so it can always be manipulated.

    So straightforward were the first four types of attack, they could be carried out within minutes on a construction site and with minimal cost. The hackers only required PCs, the (free) code and RF equipment costing anywhere between $100 and $500. To deal with some of the idiosyncrasies of the building site tech, they developed their own bespoke hardware and software to streamline the attacks, called RFQuack.
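    Why a recorded command can simply be replayed, and why a modified one is accepted, comes down to the frames carrying no freshness and no authentication. The following is an added example, not code from Trend Micro, RFQuack or any of the vendors named: a toy model of an RF controller frame in the unauthenticated form described above, beside a version carrying a per-pairing key, a monotonic counter and an HMAC tag, so that the receiver rejects replays and tampered commands. The frame layout, command codes and key are hypothetical; the scheme addresses only the replay and command-injection classes, not malicious re-pairing or reprogramming, which need an authenticated pairing and firmware-update path.

```python
import hmac
import hashlib
import struct

# Hypothetical command codes for a toy crane controller (constructed for this example).
CMD_STOP, CMD_LEFT, CMD_RIGHT, CMD_HOIST = 0x00, 0x01, 0x02, 0x03

# --- Legacy, unauthenticated frame: [pair_id:2][cmd:1] ------------------------
def legacy_encode(pair_id, cmd):
    return struct.pack(">HB", pair_id, cmd)

class LegacyReceiver:
    """Executes any frame whose pairing id matches. Nothing ties a frame to a
    moment in time or to the legitimate transmitter, so a recorded frame
    replays cleanly and a swapped command byte is executed as-is."""
    def __init__(self, pair_id):
        self.pair_id = pair_id
        self.executed = []

    def receive(self, frame):
        pair_id, cmd = struct.unpack(">HB", frame)
        if pair_id != self.pair_id:
            return "wrong pairing"
        self.executed.append(cmd)
        return "executed"

# --- Authenticated frame: [pair_id:2][counter:4][cmd:1][tag:8] ----------------
HEADER_FMT = ">HIB"
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 7 bytes
TAG_LEN = 8                                # truncated HMAC-SHA256 tag

def _tag(key, header):
    return hmac.new(key, header, hashlib.sha256).digest()[:TAG_LEN]

def auth_encode(key, pair_id, counter, cmd):
    header = struct.pack(HEADER_FMT, pair_id, counter, cmd)
    return header + _tag(key, header)

class AuthTransmitter:
    def __init__(self, key, pair_id):
        self.key, self.pair_id = key, pair_id
        self.counter = 0   # must be persisted across power cycles in real hardware

    def send(self, cmd):
        self.counter += 1
        return auth_encode(self.key, self.pair_id, self.counter, cmd)

class AuthReceiver:
    def __init__(self, key, pair_id):
        self.key, self.pair_id = key, pair_id
        self.last_counter = 0   # highest counter accepted so far
        self.executed = []

    def receive(self, frame):
        if len(frame) != HEADER_LEN + TAG_LEN:
            return "malformed"
        header, tag = frame[:HEADER_LEN], frame[HEADER_LEN:]
        # Constant-time comparison; a modified command byte invalidates the tag.
        if not hmac.compare_digest(tag, _tag(self.key, header)):
            return "bad tag"
        pair_id, counter, cmd = struct.unpack(HEADER_FMT, header)
        if pair_id != self.pair_id:
            return "wrong pairing"
        if counter <= self.last_counter:
            return "replay"   # counter already seen: a recorded frame sent again
        self.last_counter = counter
        self.executed.append(cmd)
        return "executed"

def demo():
    """Run the same two scenarios (replay, command modification) against both
    receivers and return what each one did with the frames."""
    results = {}

    # Legacy controller: capture one frame, send it again, then alter the command.
    rx = LegacyReceiver(0x1234)
    captured = legacy_encode(0x1234, CMD_LEFT)
    rx.receive(captured)
    results["legacy_replay"] = rx.receive(captured)
    results["legacy_modified"] = rx.receive(captured[:-1] + bytes([CMD_HOIST]))

    # Authenticated controller with a constructed demo key (not a real secret).
    key = b"constructed-demo-key-not-a-real-one"
    tx, arx = AuthTransmitter(key, 0x1234), AuthReceiver(key, 0x1234)
    captured = tx.send(CMD_LEFT)
    arx.receive(captured)
    results["auth_replay"] = arx.receive(captured)
    tampered = captured[:HEADER_LEN - 1] + bytes([CMD_HOIST]) + captured[HEADER_LEN:]
    results["auth_modified"] = arx.receive(tampered)
    results["auth_fresh"] = arx.receive(tx.send(CMD_STOP))
    return results

if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario:16s} -> {outcome}")
```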

    It might seem like Maggi and Balduzzi had it too easy. But they did encounter one problem, that of energy. Such was the power drain on the little red Polo, with the radio hardware and laptops sucking up the battery, it had to be towed at the end of one day of testing. Maggi had to buy a new battery too.

    Raise your crane game

    On the one hand, attacks by hackers with real malicious motivations could lead to injury or worse. On the other, there’s the risk of theft of expensive vehicles or serious financial damage for construction companies. Imagine cybercriminals had commandeered a fleet of cranes and demanded a ransom to release them. Those lost days, not to mention the payment, could lead to major losses.

    The industry is now being urged to build more robust systems. Amongst the seven vendors whose kit was exploited by Trend’s researchers were Saga, Circuit Design, Juuko, Autec, Hetronic, Elca and Telecrane. Not one had responded to requests for comment at the time of publication.

    But fixes have been rolling out over the last year. U.S.-government-funded Computer Emergency Response Teams worked with Trend to alert manufacturers and roll out either patches or workarounds.

    For some of the vendors, the very idea of patching systems was new. “Some vendors have released firmware with version 0.00A, which means it’s the very first update they’ve released in their lives,” said Maggi.

    There remain, however, some flaws left open. Two vulnerabilities affecting Juuko controllers, for instance, have not been addressed. They leave open the possibility of replay and command injection hacks. They’ve been left as so-called “zero-days”—previously unknown and unpatched weaknesses. (Juuko contacted Forbes after publication to state that it had updated its firmware in a way that could prevent the attacks. It sent the software to Trend Micro's bug disclosure program, ZDI.)

    To truly fix the problem across the industry, it would be wise to move away from the esoteric custom protocols currently in use, says Nunnikhoven. Instead, modern, standardized tech would leave it more open to research and, therefore, fixes, Nunnikhoven added.

    For now, the next time you see a crane swinging around your city or town, you’ll have to wonder: Who’s in control?

    #####EOF#####
    Yes, Cops Are Now Opening iPhones With Dead People's Fingerprints

    The iPhone 8 uses Apple Touch ID, a fingerprint-based security technology that cops are trying to bypass in various ways. It's legally easier to bypass when the owner is dead, Forbes has learned. (AP Photo/Marcio Jose Sanchez)

    In November 2016, around seven hours after Abdul Razak Ali Artan had mowed down a group of people in his car, gone on a stabbing spree with a butcher's knife and been shot dead by a police officer on the grounds of Ohio State University, an FBI agent applied the bloodied body's index finger to the iPhone found on the deceased. The cops hoped it would help them access the Apple device to learn more about the assailant's motives and Artan himself.

    This is according to FBI forensics specialist Bob Moledor, who detailed for Forbes the first known case of police using a deceased person's fingerprints in an attempt to get past the protections of Apple's Touch ID technology. Unfortunately for the FBI, Artan's lifeless fingerprint didn't unlock the device (an iPhone 5 model, though Moledor couldn't recall which. Touch ID was introduced in the iPhone 5S). In the hours between his death and the attempt to unlock, when the feds had to go through legal processes regarding access to the smartphone, the iPhone had gone to sleep and when reopened required a passcode, Moledor said. He sent the device to a forensics lab which managed to retrieve information from the iPhone, the FBI phone expert and a Columbus officer who worked the case confirmed. That data helped the authorities determine that Artan's failed attempt to murder innocents may have been a result of ISIS-inspired radicalization.

    Where Moledor's attempt failed, others have succeeded. Separate sources close to local and federal police investigations in New York and Ohio, who asked to remain anonymous as they weren't authorized to speak on record, said it was now relatively common for fingerprints of the deceased to be pressed on the scanner of Apple iPhones, devices which have been wrapped up in increasingly powerful encryption over recent years. For instance, the technique has been used in overdose cases, said one source. In such instances, the victim's phone could contain information leading directly to the dealer.

    In November 2016, Ohio State University Police officer Alan Horujko shot and killed Abdul Razak Ali Artan after the 20-year-old drove into a crowd outside a classroom building and attacked people with a knife. (AP Photo/John Minchillo)

    No privacy for the dead

    And it's entirely legal for police to use the technique, even if there might be some ethical quandaries to consider. Marina Medvin, owner of Medvin Law, said that once a person is deceased, they no longer have a privacy interest in their dead body. That means they no longer have standing in court to assert privacy rights.

    Relatives or other interested parties have little chance of stopping cops using fingerprints or other body parts to access smartphones too. "Once you share information with someone, you lose control over how that information is protected and used. You cannot assert your privacy rights when your friend's phone is searched and the police see the messages that you sent to your friend. Same goes for sharing information with the deceased - after you released information to the deceased, you have lost control of privacy," Medvin added.

    Police know it too. "We do not need a search warrant to get into a victim's phone, unless it's shared owned," said Ohio police homicide detective Robert Cutshall, who worked on the Artan case. In previous cases detailed by Forbes, police have required warrants to use the fingerprints of the living on their iPhones.

    But there are some anxieties around the ability of the police to turn up at a crime scene and immediately start accessing deceased individuals' cellphones without any need for permission. Greg Nojeim, senior counsel and director of the Freedom, Security and Technology Project at the Center for Democracy & Technology, said it's possible in many cases there would be a valid concern about law enforcement using fingerprints on smartphones without any probable cause. "That's why the idea of requiring a warrant isn't out of bounds," Nojeim added.

    Alongside the lack of legal restrictions, the fingerprint method is much cheaper than having to pay a contractor like Cellebrite or U.S. startup GrayShift (whose iPhone hacking tech was revealed by Forbes earlier this month) to unlock a phone. Whilst Cellebrite is believed to charge between $1,500 and $3,000 for each iPhone, GrayShift's GrayKey hacking box costs up to $30,000 for unlimited unlock attempts. Once the phone's opened, the cops will keep it in that state and send the device to forensics experts. They'll then use tools like Cellebrite's UFED tech to draw all the information out for investigators to explore. More often than not, police will already have those forensics services on hand.

    Face ID hacks

    Police are now looking at how they might use Apple's Face ID facial recognition technology, introduced on the iPhone X. And it could provide an easier path into iPhones than Touch ID.

    Marc Rogers, researcher and head of information security at Cloudflare, told Forbes he'd been poking at Face ID in recent months and had discovered it didn't appear to require the visage of a living person to work. Whilst Face ID is supposed to check for attention in combination with natural eye movement, so that fake or non-moving eyes can't unlock devices, Rogers found that the tech can be fooled simply by using photos of open eyes. That was something also verified by Vietnamese researchers when they claimed to have bypassed Face ID with specially-created masks in November 2017, said Rogers.

    Secondly, Rogers discovered this was possible from many angles and the phone only seemed to need to see one open eye to unlock. "In that sense it's easier to unlock than Touch ID - all you need to do is show your target his or her phone and the moment they glance it unlocks," he added. Apple declined to comment for this article.

    Obviously, for the average user who's in control of their phone, there isn't much to worry about here. And there's no evidence police have opened victims' iPhones via Face ID. So far. "I don't know that's been used yet," said Moledor. "It's probably going to be same as using the fingerprint. As long as the subject is recognisable, it should work."

    Don't be surprised if cops do start holding iPhone X devices up to the faces of the dead in the near future then, if it hasn't happened already. As Cutshall said: "I've not been told there's a legal issue to use people's fingerprints or facial recognition to get into a phone... [if it's part of a legal process] that'd be something we would do."


    #####EOF#####
    What Bubble? The Unicorn Boom Has Just Begun

    Zenefits cofounder Parker Conrad (Christian Peacock for Forbes)

    This story appears in the November 2, 2015 issue of Forbes.

    For the anxious throng worried about spiraling startup valuations--a group now big enough to pass for conventional wisdom in Silicon Valley--Zenefits could be the poster child for collective panic. The two-and-a-half-year-old company, which sells cloud software to help businesses manage HR, payroll and benefits, has been bid up recently to $4.5 billion, a nosebleed 45 times this year's forecasted revenue and well into the "unicorn" stratosphere. The company is worth more than Sears and Columbia Sportswear and their combined two centuries of operations. Its value has increased $6.6 million for every workday it has been in business.

    For companies like Zenefits, the very name unicorn--a venture-backed private company sporting a valuation above $1 billion--carries irony. The term derives from historic rarity: the idea that an eBay or a Google or a Facebook is a kind of magical occurrence, one that single-handedly turns a portfolio into a blockbuster, a venture capitalist into a superstar. Now it's a downright common benchmark and one that's invoked with a sense of dread as their numbers grow. We count 140 unicorns globally, up from 75 at the end of last year. Most are U.S. firms, but it seems like a new one is minted every week or two in China or India.

    Unicorns, critics say, represent the next risk bubble: so many largely unprofitable firms lacking in rigorous auditing or public disclosures. "We may be nearing the end of a cycle where growth is valued more than profitability," veteran venture capitalist Bill Gurley of Benchmark tweeted in August. "It could be at an inflection point." Skeptics point to the mediocre post-IPO performance of former unicorns Pure Storage and Box as evidence that the chickens have come home to roost. Reports of startups with unworkable business models surface with increasing frequency.

    All fair points, when looking at individual companies this year. But a bubble implies a systemic problem and an existential danger, and when you view these high-growth startups as a long-term portfolio, that's simply not the case. Taken as a whole, the 93 firms based in the U.S. (Americorns?) are worth $322 billion, 14% less than Microsoft and a bit more than Intel and Cisco combined. Which would you rather own long term? Microsoft or a basket that includes Uber, Airbnb, Snapchat and Pinterest along with scores of others, a few of which will surely emerge as future PayPals, Twitters or Fitbits? Is that even a hard decision? And if not, what are we worried about? Quite the contrary: If you're looking for growth, the unicorns minted in the last few years may well be one of the most attractive investments anywhere. (Obviously you can’t buy the whole basket of unicorns, but we did find several retail mutual funds that give you some exposure to them.) 

    Look more closely at Zenefits: It booked $20 million in annually recurring revenue in its first full year of operations and is on track to reach $100 million this year. That's growth the more established enterprise software titans could only have dreamed of when they were startups. It took Salesforce (market cap $50 billion) and Workday ($15 billion) more than five years each to pass $100 million in revenue. Zenefits has raised eyebrows for spending much of its revenue to fuel its growth (adding 1,600 employees to date), but it takes the company just six months to recoup the cost of acquiring a customer. Its CEO boasts that it makes more per user than most other "software as a service" companies. "I have no idea if we are in a bubble," says Zenefits CEO Parker Conrad. "I'm a terrible investor myself. But I know we have some of the most incredible unit economics." (More details on Zenefits here.)

    Here's what's fueling that kind of performance and why this all isn't Pets.com redux: The number of people connected to the Internet has surged from 400 million in 1999 to 3 billion last year. The eight-year-old mobile revolution shows no sign of abating (just look at Apple's iPhone sales), and it is enabling forms of previously unthinkable, more efficient business models. Airbnb, which owns no accommodations, has put up more than 30 million guests so far this year. Uber, which owns no cars, drives 3 million people every day. The same digital transformation is hitting farming, health care, financial services and retail.


    In light of these changes the amount of money pouring into private tech companies is downright modest: $48 billion in 2014, compared with $71 billion in 1999. When adjusted for inflation, dollars fueling tech startups last year were roughly a third of what they were at the peak of the dot-com bubble, and when adjusted by the number of people online, they were about one-tenth. One-tenth. What's more, rather than being distributed among a large number of early-stage startups--which by definition are the riskiest ones--most of the investment is now concentrated on a far smaller number of more established companies.

    Because they're betting on fewer but bigger companies, blue-chip VCs--including Zenefits backers Andreessen Horowitz, Khosla Ventures and Founders Fund--and institutional investors like Fidelity and TPG are willing to lean forward further than usual. "Zenefits is growing at a rate that people haven't seen before against a massive market opportunity," says Scott Kupor, managing partner at Andreessen Horowitz, who scoffs at the notion that institutional investors don't know how to value startups. "When smart public market investors build a financial model incorporating that growth rate against their required net internal rate of return, the valuation makes sense."

    The Chicken Little crowd likes to point to the new generation of Web giants, the Pinterests and Snapchats, which are valued more by their users than by their revenue--the same issue that got everyone in trouble during the dot-com bubble. The difference--and it's a significant one--is that now there are well-understood and proven revenue models for social media platforms. Plenty cried bubble when Google purchased YouTube for $1.65 billion in 2006, when Facebook got valued at $15 billion in 2007 and again when Facebook paid $1 billion for Instagram in 2012. Now YouTube is widely considered one of the best acquisitions of the Internet era, Facebook is worth $250 billion and Instagram is expected to bring in $600 million in revenue this year and already has one-third more users than Twitter, which despite its well-publicized challenges is still valued at about $20 billion.

    A similar dynamic is at work with software-as-a-service (SaaS) companies. Josh James, who sold his first enterprise software company, Omniture, to Adobe for $1.8 billion in 2009, says his new business-intelligence startup, Domo, is growing far faster into its valuation, $2 billion. "There's a true understanding of SaaS as a business," James says. For every dollar Domo invests, it gets a dollar back in the first year and $1.70 back in the second year, he says. "That's a pretty good return profile." (More details on Domo here.)


    Domo founder Josh James (Christian Peacock for Forbes)

    The presence of so many unicorns is not necessarily a signal of heightened risk. High-growth companies are merely substituting private market capital for the public markets. And why not? Cash is plentiful, and staying private longer avoids the headaches of an IPO and the quarterly shareholder dance. In 2000 venture-backed tech companies raised $42 billion in 261 IPOs, compared with $10 billion in 53 IPOs last year. What's more, much of the value appreciation that used to follow an IPO is now occurring before companies go public. More than 99% of Microsoft's value was created in the public markets; for Google the figure is more than 90% and for Facebook just north of 60%. Twitter? Its entire $20 billion in market value accrued when it was private.

    Some valuations do get propped up from a fear of missing out as investors all chase the next LinkedIn or Salesforce. No doubt they're throwing money at companies that will never reach those heights. Many will fail altogether. And the VC firms, hedge funds and mutual funds are often able to demand favorable terms--downside protections and antidilution measures--that would make them whole even if values decline. Those factors have certainly contributed to artificially pumping up some valuations. In some areas, notably China, which is suffering from an overall economic slowdown, a pullback could be significant.

    But even a selective correction won't trigger an across-the-board crash. Not a chance. Too many unicorns have proven they have growing, sustainable businesses. Despite the lackluster IPOs of Box, New Relic and Pure Storage, these are not dot-com-crash disappointments--merely healthy companies that were a bit overvalued. They're not about to fail and could still soar past their IPO prices in a year or two (remember Facebook?). And even if investors get spooked and decide to stop lavishing cash on unicorns, most companies have the balance sheets and wherewithal to survive long winters. There might be some belt-tightening and some painful layoffs but not a sudden pop. "For many companies it's striking how long the runway is," says investor Peter Thiel. "It suggests people are more fearful than greedy."

    That's largely why someone like Chris Wanstrath, the CEO of GitHub, a $2 billion cloud-based management service for software development, doesn't lose sleep over the bubble talk. GitHub was profitable for four years before it raised two rounds totaling $350 million. It's now plowing cash into growth but could return to profitability if it had to. "We took the funding because things are going well, and we want to accelerate our business," Wanstrath says. Big customers such as Target, John Deere and Ford are using GitHub to modernize their operations through software. "That's not going to change even if there's a downturn," Wanstrath adds. "We'll be okay, really."

    Miguel Helft is the San Francisco Bureau Chief for Forbes. Follow him on Twitter at @mhelft.

    I’m San Francisco bureau chief and technology editor at Forbes. I’ve been covering the tech industry from Silicon Valley since about the time of the Netscape IPO. I've w...

    #####EOF#####